Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

• Provide an overview of the most relevant updates released by Microsoft;

• Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

• Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The main areas addressed in this series, together with the corresponding tools and services, are described in this article.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

File Integrity Monitoring requires MDE agent version 10.8799 or later for legacy Windows systems

Microsoft has announced an important update regarding File Integrity Monitoring (FIM): following a change in the Microsoft Defender for Endpoint (MDE) pipeline, the feature now requires the Defender for Servers Windows client, meaning the MDE agent, version 10.8799 or later in order to function properly on legacy Windows systems. The change specifically affects downlevel systems such as Windows Server 2016, Windows Server 2012 R2, and other legacy clients, where earlier versions of the agent no longer guarantee the correct operation of file integrity monitoring. For organizations that use FIM as part of their strategies for controlling and detecting unauthorized changes, it is therefore essential to verify the deployed agent version and plan an upgrade where necessary.

Support for Kubernetes gated deployment for AKS Automatic

Support for Kubernetes gated deployment for AKS Automatic clusters is now generally available, expanding protection and control options in release processes on Kubernetes environments managed in Azure. To use this feature, the Defender for Containers sensor must be installed via Helm in the

Severity-based risk assignment for “Not evaluated” recommendations

Microsoft Defender for Cloud has introduced a significant change in the way recommendations previously marked as Not evaluated are handled. These recommendations now receive a risk level derived from their associated severity and are therefore prioritized in the overall list according to the assigned risk. The impact of this change is not merely visual or organizational; it also affects the overall recommendation status and the calculation of the Secure Score, because items that previously did not contribute to risk evaluation are now included. For customers that have not enabled Defender Cloud Security Posture Management (CSPM), the Not evaluated status is removed and replaced with a severity-based classification. To obtain a fully contextualized and environment-aware risk assessment, Microsoft continues to recommend enabling Defender CSPM at the subscription level.

Code-to-runtime enrichment for recommendations (preview)

Microsoft Defender for Cloud is introducing in preview the Code-to-runtime enrichment for recommendations feature, designed to provide end-to-end visibility throughout the entire software development lifecycle. The goal is to enable security teams to connect issues detected at runtime to their origin in the source code, while also understanding the actual extent of the impact generated by a vulnerability or an application change. Among the most relevant capabilities is the ability to follow the Software Development Life Cycle (SDLC) chain from source code to pipelines, from registries to runtime environments, so that the full path of a critical issue can be reconstructed. The feature also makes it possible to analyze the so-called blast radius, meaning the number of assets potentially affected by a single code change, and to trace a runtime recommendation back to the original source of the problem. This approach makes remediation more effective because it allows teams to address the issue at its origin, preventing the same problem from reappearing over time in different environments. For teams looking to strengthen collaboration among development, operations, and security, this new capability represents a concrete step toward a more mature DevSecOps posture.

On-demand antimalware scanning for Azure Files in Microsoft Defender for Storage (preview)

Microsoft has extended the preview of the on-demand antimalware scanning capability in Defender for Storage to also include Azure Files. With this enhancement, it is now possible to scan entire Azure Storage accounts containing both blobs and files, significantly expanding the scope of protection compared to previously covered scenarios. Scans can be initiated directly from the Azure portal or through Representational State Transfer (REST) Application Programming Interfaces (APIs), and they can be integrated into automated processes using Azure Logic Apps, Azure Automation runbooks, or PowerShell scripts. The feature is based on Microsoft Defender Antivirus and uses the most up-to-date antimalware definitions available for each scan. A particularly useful operational element is the presence of a cost estimate in the Azure portal before the scan is started, a feature that helps Information Technology (IT) teams plan service usage more effectively. This extension makes Defender for Storage better suited to scenarios where a higher level of verification is required for shared data and file-based repositories, especially in distributed enterprise environments.

New format for individual recommendations in the Azure portal (preview)

Microsoft Defender for Cloud is introducing in preview a new recommendation format in the Azure portal, based on displaying individual findings instead of the previous aggregated model. This change brings a major transformation to the user experience: vulnerabilities, exposed secrets, and misconfigurations that were previously grouped under a parent recommendation are now shown as distinct items. As a result, users may notice a higher number of recommendations in the overall list, not because new issues have emerged, but because the representation has become more detailed and granular. For the time being, the new format coexists with the previous one, which will, however, be deprecated in the coming months. The new individual recommendations are marked with the Preview and New version tags, which highlight their early status and also make them easier to filter; moreover, at this stage these recommendations do not yet affect the Secure Score. This is a natural evolution aligned with Microsoft’s intention to make security governance more precise, transparent, and action-oriented.

Governance and policy management

Azure Policy

Retirement of the login/logout workaround for fast Azure Policy enforcement

Microsoft has improved Azure Policy responsiveness, making the application of new assignments and policy updates in Azure Resource Manager mode effective within 5 minutes. Thanks to optimizations in the cache refresh mechanism, the so-called login/logout workaround can now be retired. This was a procedure historically used by some customers to manually accelerate the propagation of policy changes. Starting April 30, 2026, this workaround will no longer be available. This decision is part of the ongoing evolution of the service and is intended to further improve overall performance and reliability, offering all customers more predictable, consistent, and efficient behavior in the governance of Azure environments.

Monitoring

Azure Monitor

Log Analytics Workspace: summary rules now support manual “Retry bin” (preview)

Microsoft has introduced a new preview capability for summary rules in Log Analytics Workspace, designed to simplify the handling of errors that may occur during batch aggregation processes. Summary rules make it possible to run periodic aggregations on data stored in the workspace and reimport the summarized results into a custom destination table. However, when a single time interval, or bin, is not processed correctly, gaps can appear in the summarized dataset. With the new Retry bin capability, it is now possible to intervene in a targeted way by rerunning only the bin that returned an error, without having to redefine the existing rule or rebuild the destination table. To trigger the retry, it is sufficient to specify the

Managed GPU metrics for AKS in Azure Monitor (preview)

Microsoft has introduced public preview support for managed Graphics Processing Unit (GPU) metrics for Azure Kubernetes Service (AKS) in Azure Monitor, addressing an increasingly common need in environments running GPU-accelerated workloads. In many scenarios, IT and DevOps teams struggle to obtain unified visibility into GPU utilization alongside Kubernetes cluster metrics, especially when they must rely on manual exporter configurations and dedicated tools. With this enhancement, performance and utilization data from node pools enabled with NVIDIA GPUs are automatically exposed within managed environments based on Prometheus and Grafana. In this way, GPU telemetry becomes part of the same observability stack already used to monitor the cluster, simplifying capacity planning, resource optimization, and operational monitoring activities. This is a particularly interesting evolution for organizations adopting Artificial Intelligence (AI) and machine learning models on AKS and requiring more integrated, consistent, and immediate monitoring tools.

OTLP data ingestion in Azure Monitor with OpenTelemetry Collector (preview)

Microsoft has announced public preview support for native ingestion of OpenTelemetry Protocol (OTLP) signals in Azure Monitor, making it easier to directly send metrics, logs, and traces from applications and platforms instrumented with OpenTelemetry. Thanks to this capability, OpenTelemetry Collector can be configured to send data directly to Azure Monitor cloud ingestion endpoints using Microsoft Entra for authentication. Enablement can take place through Application Insights, which is the recommended approach in most cases because it automates the creation of the required resources and provides integrated application performance management capabilities, or through manual configuration based on data collection endpoints, data collection rules, and dedicated workspaces. The ingested OTLP metrics are stored in Azure Monitor Workspaces and can be queried and used for alerts through PromQL, while logs and traces are saved in Log Analytics workspaces according to new OpenTelemetry tables and semantics. This enhancement strengthens Azure Monitor’s alignment with open standards for modern observability and represents an important step toward simplifying the monitoring of distributed, hybrid, and multicloud environments.

Conclusions

The updates introduced in March 2026 confirm ever more clearly the direction Microsoft has taken: building a model for managing and protecting hybrid and multicloud environments that is increasingly centralized, intelligent, and integrated across the entire lifecycle of resources and applications. On the one hand, Microsoft Defender for Cloud is evolving toward security that is more contextualized, granular, and focused on true risk priority, with features that connect code, pipelines, and runtime more closely than ever before. On the other hand, services such as Azure Policy and Azure Monitor continue to improve in terms of speed, reliability, and alignment with modern observability standards. For IT teams, this means that adopting these new capabilities must go hand in hand with an operational review of processes: verifying agent technical prerequisites, preparing for changes in the portal experience, taking advantage of new automation options, and investing in greater convergence among governance, monitoring, and security. In summary, the message that emerges is clear: to manage increasingly distributed and complex infrastructures, it is no longer enough to simply react to events; it is becoming essential to adopt a proactive, continuous approach supported by artificial intelligence.

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

• Provide an overview of the most relevant updates released by Microsoft;

• Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

• Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The main areas addressed in this series, together with the corresponding tools and services, are described in this article.

Hybrid and multicloud environment management

Microsoft Sovereign Cloud: more governance, productivity, and AI—even in fully disconnected environments

Microsoft has expanded the capabilities of Microsoft Sovereign Cloud to help organizations meet digital sovereignty requirements, while still maintaining governance, productivity, and innovation in artificial intelligence—even in fully disconnected scenarios.

The update introduces the “Sovereign Private Cloud” stack, which brings together Azure Local, Microsoft 365 Local, and Foundry Local across connected environments, intermittently connected environments, and air-gapped (isolated) environments. This enables consistent policy enforcement and operational continuity while remaining within strict sovereignty boundaries.

Key updates include:

Enhancements to Foundry Local: Add support for modern infrastructure and enable local execution of large and multimodal AI models on customer-owned hardware (including partner platforms such as NVIDIA), delivering “in-boundary” inference and APIs without requiring external connections or services.

Azure Local in disconnected mode: Enables running and governing mission-critical infrastructures without cloud connectivity, ensuring control and compliance even offline.

Microsoft 365 Local in disconnected mode: Allows organizations to keep essential productivity services—such as Exchange Server, SharePoint Server, and Skype for Business Server—entirely within the customer perimeter, with no external dependencies.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

Updated logic for CIEM recommendations in Microsoft Defender for Cloud

Microsoft Defender for Cloud is updating the logic used to calculate Cloud Infrastructure Entitlement Management (CIEM) recommendations, now available as a native capability on Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). The goal of this update is to improve recommendation accuracy, with potential impacts on results already visible in the portal.

Specifically, the identification of inactive identities is no longer based on sign-in activity, but on the presence of unused role assignments. In addition, the observation window is extended to 90 days (previously 45), and identities created within the last 90 days are excluded from the inactivity assessment. The Permissions Creep Index (PCI) metric is also being retired and will no longer appear in recommendations. CIEM onboarding is simplified by removing the need for elevated permissions that are considered high risk. Overall, this change provides a more reliable view of access-related risk and makes CIEM adoption more practical in enterprise and multicloud environments.

Alert simulation for SQL servers on machines

The SQL simulated alerts capability in Microsoft Defender for Cloud is now generally available. This update enables security teams to safely validate SQL protections, detections, and automated response workflows without introducing real risk into production environments.

Simulations generate realistic alerts, complete with SQL context and machine context (both on Azure VMs and on machines connected via Azure Arc), enabling end-to-end testing of playbooks, SOC procedures, and operational readiness levels. Alerts are produced locally through a secure script extension, with no external payloads and no impact on production resources—an approach particularly useful for periodic exercises, audits, and ongoing hardening of incident response processes.

Scanning support for Minimus and Photon OS container images

The vulnerability scanner in Microsoft Defender for Cloud, based on Microsoft Defender Vulnerability Management, expands its coverage to include Minimus and Photon OS container images as well. The goal is to identify vulnerabilities in these distributions and help teams verify that released images meet appropriate security standards, especially in CI/CD pipelines and high-churn containerized environments.

As the number of analyzed image types increases, the volume of scanning may grow and, as a result, there may be an increase in costs associated with vulnerability assessment. From an operational standpoint, extending coverage is an important step toward reducing visibility gaps in the container supply chain, especially when adopting minimalist distributions to reduce the attack surface.

Threat protection for AI agents in Foundry with Microsoft Defender for Cloud (preview)

Microsoft Defender for Cloud introduces, in Preview, a new threat protection capability for AI agents developed with Foundry, included in the Defender for AI Services plan. The protection is designed to cover the entire lifecycle—from development to runtime—with the goal of identifying and mitigating high-impact, actionable threats, aligned with OWASP guidance for Large Language Model (LLM)-based systems and agentic architectures.

With this update, Microsoft further expands AI security coverage within Defender, helping organizations protect a growing number of AI platforms and implementations while maintaining a consistent approach across application controls, posture management, and in-operation detections.

Database-level recommendations experience for SQL Vulnerability Assessment (preview)

Microsoft Defender for SQL introduces, in Preview, a new way to consume SQL Vulnerability Assessment (SQL VA) recommendations, based on per-database evaluations. The update applies to SQL VA across all supported types (both PaaS and IaaS), including classic and express configurations, and is available in both the Azure portal and the Defender portal.

In the new model, each SQL VA rule generates a distinct assessment for each impacted database, and those assessments are surfaced and managed as actual recommendations on the Defender for Cloud Recommendations page. Previously, results were aggregated at the server or instance level and presented under “umbrella” recommendations (for example, those related to remediating findings for SQL databases or for SQL servers on machines).

This new experience does not change scanning logic, rules, queries, schedules, APIs, or pricing; instead, it changes how results are consumed and managed, aligning them with Defender’s uniform recommendations model. During the preview, these new assessments do not affect the Secure Score in the Azure portal, but they do contribute to the Secure Score in the Defender portal, while the aggregated server-level experience remains available in parallel.

Binary drift with blocking support (preview)

The binary drift capability evolves and, in Preview, enables not only detection of unauthorized changes, but also blocking them. In practice, you can configure policies that prevent binaries from executing inside containers when they appear tampered with or show unexpected modifications compared to the expected image.

This type of enforcement adds a particularly effective layer of protection against runtime and post-deployment compromise techniques, helping contain incidents that stem from filesystem alterations inside the container or the insertion of unauthorized components. For teams managing container workloads at scale, the shift from “detect” to “detect + prevent” represents a tangible move toward more proactive controls.

Runtime anti-malware for containers: detection and blocking (preview)

Microsoft Defender for Cloud introduces, in Preview, runtime anti-malware detection and prevention for containerized workloads, supporting Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), and Google Kubernetes Engine (GKE).

The capability operates in real time and allows defining anti-malware rules that set conditions for generating alerts and, when appropriate, blocking malware—strengthening cluster protection without relying exclusively on upstream controls (such as image scanning). Rule-based configuration also helps reduce false positives, balancing security and operations, especially in multicloud scenarios where policy consistency and response actions are often key requirements for security and platform engineering teams.

Backup & Resilience

Azure Backup

Vault-based backup for Azure Disks (preview)

With Azure Disk Backup, data is currently protected through regular crash-consistent snapshots of Azure disks, stored within the subscription and tenant in a resource group known as the Operational Tier of Azure Backup. This approach enables fast “operational” restores for common scenarios such as accidental deletions or data corruption, and it is often paired with Azure VM Backup, which provides application-aware protection for virtual machines.

In line with backup best practices (the 3-2-1 strategy), Microsoft introduces Vault Tier backups in Private Preview, extending disk-level protection with vault isolation (offsite), independent access controls, and immutability—key elements for improving resilience against ransomware and tenant-level compromises, and for aligning disk backup security with a cyber-recovery posture comparable to what is already adopted for VM backups.

The preview enables two core capabilities: Vault Tier Backup, to retain isolated copies in the vault to meet compliance and resilience requirements; and Regional Disaster Recovery, which allows restoring disk backups to an Azure paired region, opening up new disaster recovery scenarios in combination with Azure VM Backup and Azure Site Recovery.

Monitoring

Azure Monitor

Data transformations in the Azure Monitor pipeline (preview)

Azure Monitor pipeline data transformations are available in Public Preview and allow shaping telemetry before ingestion into Azure Monitor, with the goal of improving data quality, simplifying analysis, and controlling volumes (and therefore the impact) of large-scale ingestion.

Integrated into the Azure Monitor pipeline for edge and multi-cloud scenarios, transformations enable filtering, aggregating, standardizing, and remapping data such as Syslog and Common Event Format (CEF), reducing noise and redundancy “upstream.” Automated schema standardization mechanisms and validation guardrails help maintain compatibility with standard tables, preventing data flow disruptions when transformations are applied.

In addition, the preview includes built-in templates in Kusto Query Language (KQL) for common use cases and advanced filtering and aggregation functions that, for example, allow compressing high-frequency events into meaningful time windows. In short, by bringing data optimization closer to the source, this capability aims to produce cleaner datasets and faster insights even in complex, high-volume environments.

Secure ingestion and pod placement for Azure Monitor pipeline (preview)

Microsoft announced in Public Preview new capabilities for Azure Monitor pipeline that aim to improve both ingestion security and operational management of Kubernetes components.

On the secure ingress side, the pipeline can now receive traffic from external endpoints using TLS and mutual TLS (mTLS) for TCP-based receivers, introducing support for the Bring Your Own Certificates (BYOC) model. This allows organizations to retain full control over certificate lifecycle management, meet regulatory requirements, and integrate configuration with their existing Public Key Infrastructure (PKI). In practice, you can configure mTLS with your own certificates for mutual client/server authentication, or adopt TLS with a custom server certificate and a dedicated client Certificate Authority (CA).

In parallel, the new pod placement capability provides native controls to determine how pipeline instances are scheduled onto cluster nodes. Through execution placement configuration, you can direct pods to nodes with specific capabilities (for example, high-resource nodes or nodes in particular zones), control instance distribution to reduce resource contention, and apply isolation criteria that are useful in large-scale deployments.

Conclusions

This month’s updates confirm a very clear direction: Microsoft is pushing toward an increasingly uniform, proactive, and “AI-ready” model for management and protection—one that works consistently not only in Azure, but also across hybrid, multicloud, and even disconnected environments.

The evolution of Microsoft Sovereign Cloud and the “Sovereign Private Cloud” stack shows how governance and productivity can extend into air-gapped contexts, while on the security front Defender for Cloud continues to increase both coverage and depth: more reliable and adoptable CIEM, alert simulations to validate SOC processes, more decisive runtime protections for containers, and growing focus on protecting AI workloads and agents. In parallel, Azure Backup strengthens resilience with the “vault tier” approach for disks, aligning protection with more modern cyber-recovery requirements, and Azure Monitor brings optimization closer to the source with data transformations and secure ingestion options (TLS/mTLS) designed for distributed environments.

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

• Provide an overview of the most relevant updates released by Microsoft;

• Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

• Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The main areas addressed in this series, together with the corresponding tools and services, are described in this article.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

Update to the CIEM recommendations logic

In the context of the retirement of Microsoft Entra Permissions Management, Microsoft Defender for Cloud is updating the logic behind CIEM recommendations across Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP), with the goal of improving accuracy and reducing noise in alerts. Among the key changes: the identification of inactive identities is now based on unused role assignments (rather than sign-in activity), the observation window is extended to 90 days (previously 45), and identities created within the last 90 days are not evaluated as inactive. Operationally, this update tends to make recommendations better aligned with actual risk, but it may also change the number and types of findings visible across multicloud tenants.

AWS CloudTrail ingestion (preview)

In preview, ingestion of AWS CloudTrail management events into Microsoft Defender for Cloud is now available. By enabling collection, Defender for Cloud enriches Cloud Infrastructure Entitlement Management (CIEM) analytics by including observed activity (management events) alongside the entitlement signals already available (for example, Access Advisor data). This additional usage context helps make security recommendations in Amazon Web Services (AWS) more accurate, improving the identification of unused permissions, dormant identities, and potential privilege escalation paths. The feature supports both individual AWS accounts and AWS Organizations with centralized logging, simplifying adoption in multi-account organizations.

Microsoft Security Private Link (preview)

Microsoft Defender for Cloud introduces Microsoft Security Private Link in preview, with the goal of enabling private connectivity between the security platform and protected workloads. The integration is implemented by creating private endpoints within the Virtual Network, so that traffic to Defender services remains on Microsoft’s backbone network, avoiding exposure on the public Internet and reducing the attack surface associated with public endpoints. At this stage, private endpoint support is available for the Defender for Containers plan, making it particularly interesting for Kubernetes clusters in “network-restricted” environments with controlled egress requirements.

Integration with Endor Labs

The integration between Microsoft Defender for Cloud and Endor Labs is now generally available (GA). This enhancement strengthens vulnerability analysis by introducing a reachability-based Software Composition Analysis (SCA) approach, which highlights vulnerabilities that could actually be exploitable along the “from code to runtime” path. In practice, the integration helps teams prioritize remediation more effectively, distinguishing what is merely “present” in libraries or dependencies from what is truly reachable and exploitable in running applications—reducing operational overhead and improving triage quality.

Cloud posture management adds serverless protection for Azure and AWS (preview)

Microsoft Defender for Cloud is extending, in preview, the capabilities of the Defender Cloud Security Posture Management (CSPM) plan to serverless workloads in Azure and Amazon Web Services (AWS), both in the Azure portal and in the Defender portal. This capability introduces automatic discovery and security posture assessment for components such as Azure Functions, Azure Web Apps, and AWS Lambda, providing centralized inventory and recommendations for misconfigurations, vulnerabilities, and insecure dependencies. This is a significant step for modern event-driven and microservices scenarios, where the traditional perimeter is more blurred and governance requires continuous visibility and consistent controls even for non-server-based resources.

Conclusions

This month’s updates focus on Microsoft Defender for Cloud and confirm a very clear direction: improving signal quality, expanding multicloud coverage, and reducing operational friction—especially in hybrid and distributed environments. The update to CIEM (Cloud Infrastructure Entitlement Management) recommendations logic goes exactly in this direction, making the identification of inactive identities and unused permissions more reliable thanks to a broader observation window and criteria that better reflect real usage. On the AWS side, ingestion of CloudTrail management events (preview) adds valuable context to refine analytics and more accurately identify escalation paths and unnecessary privileges, while the introduction of Microsoft Security Private Link (preview) opens up interesting scenarios for those who must operate in “network-restricted” environments with strict egress requirements and a need to minimize public exposure. Finally, the Endor Labs integration reaching GA and the extension of CSPM to serverless workloads (preview) highlight the evolution toward an increasingly “code-to-cloud” security posture—better able to prioritize remediation and to ensure visibility and governance even in modern event-driven models.

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

• Provide an overview of the most relevant updates released by Microsoft;

• Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

• Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The main areas addressed in this series, together with the corresponding tools and services, are described in this article.

Hybrid and multicloud environment management

Azure Arc

Decommissioning of Windows Server 2022 on Azure Arc–enabled Azure Kubernetes Service

Microsoft has announced the decommissioning of Windows Server 2022 on Azure Kubernetes Service (AKS) enabled by Azure Arc, effective from October 2026. Following this change, customers who are using node pools based on Windows Server 2022 in Azure Arc–enabled AKS clusters are encouraged to proactively plan migration to supported alternatives before the retirement date. After October 2026, Windows Server 2022 on Azure Arc–enabled AKS will no longer receive updates or security fixes, and new deployments based on this operating system will no longer be supported.

The announcement confirms Microsoft’s focus on modern, cloud-ready platforms and operating system images optimized for containers, targeting Kubernetes scenarios both in Azure and in hybrid environments through Arc. Organizations therefore have a clear timeline to assess their containerized workloads, identify dependencies and constraints, and adopt supported Windows Server versions or other recommended options. This transition path is essential to preserve adequate levels of security, supportability, and compliance, while minimizing operational risk across distributed and Arc-enabled Kubernetes clusters.

New migration experience for SQL Server in Azure Arc

A new migration experience for Structured Query Language (SQL) Server instances managed through Azure Arc is now generally available. This approach integrates Azure Database Migration Service (DMS) with guided support from Copilot, providing an end-to-end path to Azure SQL Managed Instance that covers initial assessment, planning, migration execution, and post-cutover validation within a single flow.

The solution is designed for environments where SQL Server is still running on-premises or in other clouds, but is managed through Azure Arc to centralize governance and compliance. Thanks to automation and the guidance offered by Artificial Intelligence (AI), IT teams can reduce the risks associated with migration, standardize the process across multiple instances, and accelerate the transition to a managed Platform as a Service (PaaS) model, aligned with data estate modernization strategies.

Azure Kubernetes Fleet Manager for Azure Arc–enabled clusters (preview)

Azure Kubernetes Fleet Manager extends in public preview its support for Kubernetes clusters enabled with Azure Arc. Through a single control plane, organizations can register, govern, and deploy workloads consistently across Azure Kubernetes Service (AKS) clusters in Azure, on-premises Kubernetes clusters, and clusters running in other clouds.

The solution makes it possible to apply uniform configurations, update strategies, and security policies across all environments, reducing the operational complexity typical of hybrid and multicloud scenarios. This capability is particularly useful for managing distributed Artificial Intelligence (AI) workloads and deployments in edge locations, where standardizing management and security models is crucial to ensure reliability, scalability, and centralized control.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

Native integration between Microsoft Defender for Cloud and GitHub Advanced Security (preview)

A native integration between Microsoft Defender for Cloud and GitHub Advanced Security is now available in preview, designed to protect cloud-native applications across the entire lifecycle, from code to runtime. In response to the increasing sophistication of software supply chain attacks, the solution introduces runtime context as a primary criterion for risk prioritization, enabling development and security teams to focus on truly exploitable vulnerabilities and remediate them more quickly through Artificial Intelligence (AI)–assisted remediation mechanisms.

Key capabilities include real-time visibility across the entire application lifecycle and the ability for security teams to launch remediation campaigns that notify GitHub owners directly, open GitHub issues from within Defender for Cloud, and monitor their status. By linking runtime context back to the code, developers can quickly map threats to the relevant repository, while security teams gain full traceability from code to execution. The use of Copilot Autofix and the GitHub Copilot coding agent makes it possible to automatically generate remediation suggestions, significantly reducing time to fix and improving the quality of applied remediations.

New Azure Copilot agents integrated into the portal and operational tools (preview)

The new phase of Azure Copilot introduces specialized agents, available in private preview, integrated directly into the Azure portal, PowerShell, and the Command Line Interface (CLI). These agents are designed to support customers in migration, day-to-day operations, and ongoing modernization of workloads running anywhere, enabling end-to-end lifecycle management of resources. Azure Copilot evolves the chat experience into a full-screen command center, powered by advanced reasoning capabilities based on GPT-5, artifact generation, and scenarios driven by Azure Resource Manager (ARM).

Users can invoke Copilot within existing workflows through contextual, personalized experiences that include conversation history and inline actions in the Azure portal. The new capabilities honor existing Role-Based Access Control (RBAC) mechanisms, Azure Policy, and compliance frameworks, and they always require explicit confirmation before applying changes.

Among the agents’ capabilities are: Deployment, to simplify the planning and rollout of infrastructure aligned with the best practices of the Well-Architected Framework; Migration, to accelerate migration and modernization with automated discovery and AI-driven Infrastructure as a Service (IaaS) / Platform as a Service (PaaS) recommendations, integrating with GitHub Copilot to modernize .NET and Java applications; Optimization, to highlight high-impact actions in terms of cost and sustainability, comparing financial results and carbon emissions and automating execution through agentic workflows; Observability, which leverages metrics, traces, and logs from Azure Monitor Application Insights or Service Groups to investigate and diagnose full-stack applications and provide mitigation steps; Resiliency, with recommendations for zonal resilience, auto-remediation scripts, orchestration of Recovery Point Objective (RPO) and Recovery Time Objective (RTO) targets, built-in ransomware protection, and contextual insights for more robust configurations; Troubleshooting, which enables users to start troubleshooting sessions, obtain root cause analyses and mitigation suggestions for virtual machines, Kubernetes, databases, and other resources, including the automatic creation of support tickets when escalation is required.

Security posture management for serverless resources in Microsoft Defender for Cloud (preview)

At the end of November, Microsoft Defender for Cloud will introduce, in preview, security posture management for serverless resources. As the adoption of serverless solutions in multicloud environments increases at the expense of purely Infrastructure as a Service (IaaS) models, potential entry points multiply and lateral movement becomes easier for attackers, making these resources particularly exposed.

The new serverless coverage in Defender for Cloud provides deeper visibility into compute environments and application platforms based on managed functions and components. By integrating serverless posture information into attack paths, the solution strengthens end-to-end security with comprehensive protection for workloads and services. In preview, organizations will have access to Cloud Security Posture Management (CSPM) insights for resources such as Azure Functions, Azure Web Apps, and Amazon Web Services (AWS) Lambda; they will be able to identify and visualize risk, analyze attack paths, continuously monitor misconfigurations, and detect vulnerable instances. The result is a strengthened security posture across the entire lifecycle of modern applications, aligned with the evolution toward cloud-native and serverless architectures.

Unified posture management and threat protection for AI agents in Microsoft Defender (preview)

Preview capabilities for unified security posture management and threat protection for Artificial Intelligence (AI) agents are now available in Microsoft Defender as part of Microsoft Agent 365. With the growing adoption of agentic applications across pro-code, low-code, and no-code environments, the complexity and attack surface of digital estates increase significantly. Both AI developers and security administrators need a unified view of AI assets to govern security posture and reduce risk, while Security Operations Center (SOC) analysts must be able to correlate AI security signals with contextualized alerts to speed up remediation.

The new capabilities address these needs in three main areas: complete visibility into the posture of AI agents through a unified experience that offers visibility, posture management, and threat protection for agents distributed across pro-code, low-code, and no-code platforms, reducing issues such as shadow agents and agent sprawl; risk reduction through security recommendations and attack path analysis specific to agentic applications, helping teams identify and fix vulnerabilities before compromise; and advanced protection that enables detection, investigation, and response to threats targeting AI agents—such as prompt injection, exposure of sensitive data, and malicious use of tools—across models, agents, and cloud apps. The new detections correlate signals with threat intelligence, delivering a complete view of alerts. The distinctive element of Defender’s AI security offering is its end-to-end approach, from build-time to runtime, with unified protection that covers models, agents, Software as a Service (SaaS) applications, and cloud infrastructure.

Unified cloud security with Microsoft Defender in hybrid and multicloud environments (preview)

A new unified cloud posture management experience for Microsoft Defender for Cloud (MDC) customers is now available in preview. Security teams increasingly have to manage risk in complex hybrid and multicloud environments, where fragmented signals, siloed tools, and disjointed views slow down threat detection and response. The new native integration will bring Microsoft Defender for Cloud into the Defender portal dedicated to security roles, eliminating silos and enabling SOC teams to see and manage threats across all environments from a single console.

The experience will include a cloud security dashboard that unifies posture management and threat protection, offering a comprehensive view of the environment; unified cloud posture capabilities within Exposure Management, to display assets, vulnerabilities, attack paths, security scores, and prioritized recommendations in a single view; and a centralized asset inventory, with a consolidated view of code and cloud resources across Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP), supporting posture validation and logical segmentation of environments.

Complementing this integration, granular RBAC controls will help reduce operational risk and simplify compliance in multicloud contexts. With threat protection already deeply integrated into the Defender portal, extending it to posture management will deliver a complete cloud security model within a unified experience. The Azure portal will nonetheless remain a key reference point for DevOps personas and for onboarding new resources covered by Defender for Cloud.

New Microsoft Defender capabilities for proactive actions during attacks (preview)

Microsoft Defender is introducing, in preview, several innovations designed to strengthen the ability to detect and counter ongoing attacks. Among these, Predictive Shielding represents an evolution of the automatic attack disruption capability: once a compromised resource has been contained, it leverages threat intelligence and insights derived from the relationship graph to predict potential lateral movements by attackers and apply targeted, just-in-time hardening actions, such as changes to Group Policy Objects (GPOs) or disabling Safe Boot.

This approach drastically reduces the number of potential attack paths, concentrating risk on a much smaller set of trajectories and optimizing operational continuity. Microsoft is also extending automatic attack disruption capabilities—previously limited to Defender solutions—to third-party environments such as AWS, Proofpoint, and Okta when their signals are ingested via Microsoft Sentinel. In this way, threats such as phishing, adversary-in-the-middle attacks, and identity compromise can be detected and contained in near real time even on federated accounts and external cloud environments.

Finally, a new Threat-Hunting Agent will allow analysts to orchestrate threat hunting sessions in natural language, asking questions such as “Which devices have communicated with this domain in the last 24 hours?” and receiving summarized answers, the underlying Kusto Query Language (KQL) queries, and dynamic suggestions for further investigation—all within a chat interface. The agent will also provide contextual insights and visualizations, such as timelines, making advanced hunting capabilities accessible even to those without deep query expertise.

Integrated threat detection in Azure Backup for virtual machines, powered by Microsoft Defender for Cloud (preview)

Azure Backup is introducing, in public preview, integrated threat detection capabilities for backups of Azure virtual machines (VMs), powered by Microsoft Defender for Cloud. Restore points are analyzed for malicious indicators such as traces of malware or ransomware, allowing teams to assess the security state of backups before using them in a recovery operation.

Suspicious activities are surfaced through Defender for Cloud, enabling security and operations teams to avoid restoring compromised images and to react more quickly to attacks that might otherwise remain hidden within backup data. This integration strengthens alignment between data protection strategies and security practices, transforming backup from a simple recovery mechanism into an active component of defense against threats and improving the overall resilience of Azure environments.

Backup & Resilience

Azure Backup

Vaulted backup for Azure Data Lake Storage Gen2

Vaulted backup for Azure Data Lake Storage (ADLS) Gen2 is now generally available through Azure Backup, providing organizations with secure, off-site protection for data stored in their storage accounts. This capability allows you to create an independent copy of ADLS Gen2 data in a backup vault, isolated from the source account, thereby mitigating the risk of accidental deletions, malicious activity, and ransomware. Customers can also restore data to alternative storage accounts, enabling “clean recovery” scenarios and increasing the overall resilience of the environment.

The solution supports flexible, automated schedules, with daily or weekly backup policies and the option to run on-demand backups when needed. Long-term retention of backups is also supported, for up to 10 years, helping organizations meet compliance and archival requirements. Security aspects are built in by design, thanks to features such as soft delete, immutability, encryption, and multi-user authorization to protect the data stored in the vault. At the time of general availability, vaulted backups can be configured for block blobs in ADLS Gen2 accounts and are available in a subset of regions compared to the public preview, with an expanded geographic coverage planned over the coming months.

Monitoring

Azure Monitor

Unified onboarding experience in Azure Monitor for AKS and virtual machines

Azure Monitor now offers a unified onboarding experience for Azure Kubernetes Service (AKS) clusters and virtual machines (VMs). Instead of having to follow separate procedures and flows, with different extensions depending on the type of workload, organizations have a single streamlined path that deploys the latest Azure Monitor capabilities with one click.

This approach significantly reduces the risk of configuration drift across environments, accelerates the adoption of common monitoring baselines, and makes it easier to standardize observability in mixed contexts that rely simultaneously on AKS clusters and VM-based workloads. From a centralized, AI-powered management perspective, having a consistent onboarding model is a key element to ensure telemetry data quality, uniform controls, and the ability to apply advanced analytics and automation at scale.

Advanced sampling and enriched data collection in the Azure Monitor OpenTelemetry Distro

The Azure Monitor OpenTelemetry (OTel) Distro is now generally available with advanced sampling capabilities and richer data collection features. The solution provides more flexible sampling options—for example, rate-based or trace-aware strategies—and improves correlation across logs, metrics, and traces.

The goal is to enable organizations to reduce noise and the overall volume of telemetry while maintaining full visibility into critical transactions and the most business-relevant application scenarios. In environments characterized by distributed architectures, microservices, and hybrid or multicloud workloads, this evolution supports a more sustainable and effective observability model, and also facilitates the application of Artificial Intelligence (AI) algorithms for proactive anomaly detection, automated problem diagnosis, and prioritization of operational interventions.

Recommended alerts for Azure Monitor Workspace (preview)

Azure Monitor is introducing, in preview, a recommended alerts feature that can be enabled with one click in the portal for Azure Monitor Workspaces that collect managed Prometheus metrics. These are preconfigured alert rules designed to monitor workspace limits and ingestion quotas, with the goal of promptly identifying throttling conditions and preventing the loss of metrics or the creation of “blind spots” in the observability platform.

Thanks to these recommended alerts, teams can quickly establish a consistent monitoring posture across multiple environments without having to design every single rule from scratch. For architects managing distributed environments—often hybrid and multicloud—this capability is a practical way to raise the reliability level of monitoring, freeing up time to focus on optimizations and on introducing advanced analytics logic supported by Artificial Intelligence (AI).

New OpenTelemetry visualizations and advanced monitoring experience for Azure VMs and Azure Arc servers (preview)

Azure Monitor is introducing, in public preview, new OpenTelemetry (OTel)–based visualizations and a unified monitoring experience for virtual machines (VMs) in Azure and servers enabled with Azure Arc. This new mode consolidates key observability capabilities—metrics, logs, and a topology-style representation of dependencies—into a single view aligned with the OpenTelemetry data model.

This makes it easier to analyze end-to-end performance and identify points of failure, especially for organizations that are already standardizing application and infrastructure telemetry on OpenTelemetry. For hybrid and multicloud scenarios, the ability to have a consistent view across resources in Azure and servers managed via Azure Arc helps IT teams reduce tool fragmentation, simplify troubleshooting, and lay the groundwork for increasingly automated, AI-powered management models.

Conclusions

In conclusion, this month’s updates strongly confirm Microsoft’s trajectory toward a truly unified, hybrid, Artificial Intelligence (AI)–powered cloud management and security model, in which Azure Arc becomes the common thread connecting datacenters, edge locations, and public clouds. On the one hand, advancements on the management front—such as the new migration experience for SQL Server to Azure SQL Managed Instance, support for Azure Kubernetes Fleet Manager for Arc-enabled clusters, vaulted backup for Azure Data Lake Storage Gen2, and the new OpenTelemetry-based monitoring experiences—equip architects with the tools to rationalize distributed architectures, reduce technical debt, and improve observability and resilience. On the other hand, innovations in Microsoft Defender for Cloud and the broader Defender platform—including integration with GitHub Advanced Security, posture management for serverless resources and Artificial Intelligence (AI) agents, the new unified cloud security experience, and integrated threat detection capabilities in Azure Backup—make it possible to bring security “inside” development processes, DevSecOps pipelines, and business continuity plans, shifting the center of gravity toward a more proactive model focused on reducing real-world risk.

The practical recommendation is not to simply be aware of these capabilities, but to embed them into a concrete roadmap: plan ahead for the retirement of Windows Server 2022 on Azure Arc–enabled Azure Kubernetes Service, assess data estate modernization paths, standardize observability across environments, and experiment in a controlled way with the new Azure Copilot agents and Defender’s advanced capabilities. Only in this way will it be possible to turn these innovations into competitive advantage and prepare your organization for the next phase of AI-powered management.

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

• Provide an overview of the most relevant updates released by Microsoft;

• Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

• Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The main areas addressed in this series, together with the corresponding tools and services, are described in this article.

Hybrid and multicloud environment management

Azure Arc

Microsoft recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Distributed Hybrid Infrastructure

Microsoft has once again been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Distributed Hybrid Infrastructure, for the third consecutive year, confirming the value delivered in running workloads across hybrid, edge, multicloud, and sovereign scenarios with Azure. At the heart of this result is Azure’s adaptive cloud approach, built on Azure Arc and Azure Local: the former extends Azure controls—through Azure Resource Manager—to on-premises, edge, and multicloud environments, enabling services such as Azure Kubernetes Service (AKS, Azure Kubernetes Service), Microsoft Defender for Cloud, Azure IoT Operations, and Azure AI Video Indexer; the latter brings Azure services and management into customer-owned environments, allowing local execution of cloud-native workloads, including virtual machines and Arc-enabled AKS clusters, and supporting the Sovereign Private Cloud strategy for isolated and compliant operations while maintaining consistency with Azure.

Firmware analysis enabled by Azure Arc

The firmware analysis capability enabled by Azure Arc is now available. The service provides deep visibility into the software powering Internet of Things (IoT, Internet of Things)/Operational Technology (OT, Operational Technology) devices and network appliances—systems often treated as “black boxes” with limited transparency into their security posture.
Users upload the device’s firmware image and receive a detailed report generated by automated security analysis, useful for identifying vulnerabilities, outdated components, and compliance risks in hybrid and multicloud environments governed with Arc.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

• Outbound network requirements update for Microsoft Defender for Containers: Microsoft has updated the outbound network requirements for the Microsoft Defender for Containers sensor. The change affects all subscriptions using the sensor. Effective immediately, the sensor must be able to reach the Fully Qualified Domain Name (FQDN, Fully Qualified Domain Name)
  *.cloud.defender.microsoft.com
  on port 443 over the HTTPS protocol. It is recommended to add this FQDN (and related port) to your outbound restriction mechanisms—such as proxies or firewalls. If egress traffic from clusters is not blocked, no changes are required. To validate connectivity to Defender for Containers endpoints, you can run the dedicated test script from the cluster. To avoid service disruptions, any changes on Google Kubernetes Engine (GKE, Google Kubernetes Engine) and Elastic Kubernetes Service (EKS, Elastic Kubernetes Service) must be completed by September 30, 2026; otherwise, the sensor may not function as expected.
• Microsoft Defender for Cloud: new permission for the GitHub connector (October 23, 2025). Microsoft Defender for Cloud is updating its GitHub connector to require the new
  artifact_metadata:write
  permission, needed to enable artifact attestation capabilities that ensure verifiable build provenance and strengthen software supply-chain security. The permission has a limited scope, aligned with the principle of least privilege, to facilitate swift and targeted approvals.

Backup & Resilience

Azure Backup

Vaulted Backup for Azure Data Lake Storage (preview)

Public Preview is available for Vaulted Backup for Azure Data Lake Storage (ADLS, Azure Data Lake Storage), extending in-vault protection to this service as well. The solution maintains an independent copy isolated from the source account to ensure business continuity and compliance, with restores to original or alternate accounts even in cases of accidental deletions, insider threats, or ransomware.
The solution includes flexible scheduling (daily/weekly and on-demand), long-term retention up to 10 years, and a security-first design with soft delete, immutability, encryption, and multi-user authorization to protect data in the vault.

Azure Site Recovery

Azure Site Recovery: support for Ultra Disks on virtual machines

Microsoft announces General Availability of support in Azure Site Recovery (ASR, Azure Site Recovery) for virtual machines with Ultra Disks, enabling organizations of any size to replicate, fail over, and fail back across Azure regions with minimal impact on production performance. The solution offers automated recovery orchestration, cost-optimized replication, and non-disruptive testing, helping companies increase operational resilience, meet compliance requirements, and minimize downtime. With this release, teams can reliably extend enterprise-grade protection and continuity to workloads using Ultra Disks. Ultra Disks are the highest-performance block storage option for Azure VMs, with consistent sub-millisecond latency and extremely high performance; they are therefore ideal for a broad range of mission-critical workloads, such as SAP High-Performance Analytic Appliance (HANA, High-Performance Analytic Appliance), high-end databases, and highly transactional systems that demand maximum performance.

Monitoring

Azure Monitor

Retirement of legacy authentication in Azure Monitor – Container Insights (deadline: September 30, 2026)

Microsoft will retire legacy authentication in Azure Monitor – Container Insights starting September 30, 2026. The model is being replaced by authentication via Managed Identity, which is more modern and secure and also enables capabilities not previously available, such as Syslog collection and High Scale mode.
Customers must migrate to Managed Identity by the specified date: the transition can be easily performed from the Azure portal or via CLI/PowerShell, along with bulk migration scripts provided in the official guidance.

Conclusions

The October 2025 updates outline a consistent path in the maturation of Azure’s adaptive cloud, where Azure Arc and Azure Local uniformly extend control and operational consistency across datacenters, edge, and multicloud. Microsoft’s recognition as a Leader in the 2025 Gartner® Magic Quadrant™ for Distributed Hybrid Infrastructure confirms this trajectory, highlighting an ecosystem capable of uniting governance, security, and data sovereignty. Within this framework, Arc-enabled firmware analysis introduces transparency into traditionally opaque IoT/OT domains; updates to Microsoft Defender for Cloud and Defender for Containers strengthen supply-chain integrity and security posture; Vaulted Backup for Azure Data Lake Storage (preview) expands protection options with isolated copies and extended retention; ASR support for Ultra Disks extends operational continuity to the most demanding workloads; and the evolution of Azure Monitor – Container Insights toward Managed Identity marks a further step toward more robust authentication models. Overall, a platform emerges that natively and distributively integrates management, protection, and observability, promoting shared standards and reducing friction across heterogeneous environments.

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

• Provide an overview of the most relevant updates released by Microsoft;

• Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

• Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The main areas addressed in this series, together with the corresponding tools and services, are described in this article.

Hybrid and multicloud environment management

Azure Arc

Starting September 30, 2025, Azure App Service on Azure Arc-enabled Kubernetes will be retired and it will no longer be possible to install the extension. To continue hosting application workloads, Microsoft recommends migrating to alternative solutions such as Azure Container Apps on Azure Arc-enabled Kubernetes, which also enables you to leverage Logic Apps Hybrid. A timely assessment and migration plan is recommended to ensure completion by the deadlines, minimizing risks and service disruptions in hybrid and multicloud environments.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

• Malware automated remediation in Defender for Storage (preview): the automated remediation feature for Defender for Storage malware scanning is now available in public preview. When on-upload or on-demand scans detect malicious blobs, the contents can be soft-deleted automatically. This ensures immediate isolation while maintaining recoverability for forensic analysis purposes. The setting can be toggled at the subscription or storage account level from the Microsoft Defender for Cloud blade in the Azure portal, or via API.

• Refined attack paths: attack paths have been improved to reflect realistic risks that an adversary could use to compromise the organization. The new experience emphasizes external entry points and the attacker’s progression toward business-critical assets, providing greater clarity, focus, and prioritization. This enables security teams to respond more quickly and confidently to the most critical exposures.

• Trusted IPs for Internet exposure analysis: Defender for Cloud allows you to define trusted IP ranges to reduce false positives in Internet exposure analysis. Resources that are only accessible from trusted IPs are classified as trusted and, as a result, Defender for Cloud does not generate attack paths for those sources.

• Exposure width for Internet exposure analysis (GA): the Exposure width metric is now Generally Available in Microsoft Defender for Cloud. This capability shows how a resource is exposed to the Internet based on network rules, helping security teams quickly identify and remediate the most critical attack paths.

• Trivy dependency scanning for code repositories (update): Defender for Cloud now includes open-source dependency scanning based on Trivy in filesystem mode, to automatically detect operating system and library vulnerabilities in GitHub and Azure DevOps repositories.

Backup & Resilience

Azure Backup

Vaulted backup for Azure Files (Premium)

With Azure Backup, “in-vault” protection is now available for Premium shares as well, ensuring business continuity and compliance even in the event of accidental deletions, malicious activity, or ransomware. Vaulted backup keeps a secure, off-site copy of the data, independent of the source account.

Key capabilities of vaulted backup:

• Off-site protection: stores an independent copy of data in the vault, enabling restore even if the source account is lost or compromised. You can restore to the original account or to an alternate account.
• Resilience to deletions and attacks: isolated backups that protect against accidental deletions, insider threats, and ransomware, ensuring operational continuity.
• Automatic and flexible backups: support for daily/weekly schedules, or on-demand backups when needed.
• Long-term retention: ability to retain backup data for up to 99 years, meeting compliance and archiving requirements.
• Security by design: safeguards such as soft delete, immutability, encryption, and multi-user authorization protect data in the vault from tampering or misuse.

Azure Site Recovery

Support for virtual machines with Premium SSD v2 disks

General availability has been announced for Azure Site Recovery (ASR) support for virtual machines that use Premium SSD v2 disks. ASR enables replication across Azure regions and from on-premises to Azure, automated failover, and non-disruptive disaster recovery testing, helping ensure business continuity with built-in security, compliance, and native integration with Azure services. Premium SSD v2 delivers low latency and consistent performance, with the flexibility to scale throughput and IOPS independently—an ideal combination for enterprise workloads such as SQL Server, Oracle, SAP, and big data.

Monitoring

Azure Monitor

Azure Resource Manager: new metrics in Azure Monitor

Azure Resource Manager (ARM) introduces enhanced integration with Azure Monitor Metrics at the subscription level, enabling deeper visibility into traffic, latency, and throttling of control-plane operations. Metrics are accessible via REST API, SDKs, or directly from the Azure portal, with no opt-in required. New dimensions are also available for advanced analysis and filtering: operation type (read/write/delete), ARM request region, HTTP method, HTTP status code, status code class (2xx, 4xx, 5xx), resource type, and resource provider namespace.
These enhancements strengthen troubleshooting, capacity planning, and governance, simplifying granular monitoring of complex, distributed environments.

High Scale mode for Azure Monitor – Container Insights

Microsoft announces general availability of the High Scale mode in Container Insights, the Azure Monitor solution for collecting logs from Azure Kubernetes Service (AKS) clusters. Enabling High Scale applies a set of configuration optimizations automatically that significantly increase collection throughput, without requiring customer intervention or additional parameters. This mode supports higher telemetry loads in AKS clusters, improving observability and time-to-analysis in large-scale environments, including hybrid and multicloud scenarios integrated with Azure Arc.

Azure Managed Service for Prometheus: native Grafana dashboards in the Azure portal (preview)

Public Preview is available for the native, no-additional-cost integration of Grafana dashboards within the Azure portal for Azure Managed Service for Prometheus. With this update, you can quickly use and customize Grafana dashboards directly in the portal, avoiding the need to deploy and maintain dedicated Grafana instances or additional Azure resources. The integration streamlines observability and reduces administrative overhead, accelerating the creation of visualizations useful for monitoring and troubleshooting containerized and distributed workloads.

Conclusions

This month’s updates—from the retirement of App Service on Arc-enabled Kubernetes and the need to plan that migration in advance, to the Defender for Cloud improvements (automated remediation, more realistic attack paths, trusted IPs, and Exposure width in GA), and on to the resilience advancements with Azure Backup for Files Premium and ASR for Premium SSD v2—all converge on the same goal: reducing attack surface, increasing workload reliability, and simplifying operations at scale. On the monitoring front, the enriched ARM metrics, Container Insights’ High Scale mode, and the “native” Grafana dashboards in Managed Prometheus raise the bar for transparency and time-to-insight without adding complexity. My call to action is to turn these guidelines into concrete steps: assess and begin migrating off retiring assets, recalibrate security policies by leveraging the new prioritization and remediation capabilities, extend “in-vault” backup policies where needed, and standardize monitoring practices by adopting the latest metrics and dashboards.

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

• Provide an overview of the most relevant updates released by Microsoft;

• Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

• Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The main areas addressed in this series, together with the corresponding tools and services, are described in this article.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

Retirement of Microsoft Defender for Cloud in Microsoft Azure operated by 21Vianet

Microsoft has announced the retirement of Microsoft Defender for Cloud in the Microsoft Azure environment operated by 21Vianet (Azure in China) due to increasing infrastructure and operational complexity, which no longer allows the expected levels of stability and effectiveness to be ensured. All related features and services will be discontinued and removed on August 18, 2026; after that date, the Defender for Cloud portal and any associated services or features in that environment will no longer be accessible. To manage the transition effectively, customers are encouraged to work with their Azure (operated by 21Vianet) account representatives to assess operational impact and plan the necessary actions; further details are available in the official documentation.

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

• Defender for Storage: Optional index tags for malware scan results. Defender for Storage introduces optional index tags to record the outcomes of malware scans, both on-upload and on-demand. With this capability, users can choose whether to publish results to Blob index tags (the default setting) or not use them. Enabling or disabling can be done at the subscription and storage account levels, via the Azure portal or APIs, simplifying metadata governance and integration with triage and auditing processes.
• Defender for Storage available in Azure Government. The service helps U.S. federal and government agencies secure their storage accounts, offering in Azure Government the same functional coverage as the commercial cloud. This lets security teams adopt uniform controls aligned with public-sector compliance requirements.
• Defender CSPM and Defender for Servers Plan 2 available in Azure Government. Microsoft has made both Defender Cloud Security Posture Management (CSPM) and Defender for Servers Plan 2 available in Azure Government. This enables the Department of Defense (DoD) and civilian agencies to manage cloud security posture, strengthen compliance, and benefit from advanced capabilities for server workloads. Feature coverage is aligned with the commercial cloud, facilitating consistent standards and procedures across hybrid and multicloud environments.
• AKS Security Dashboard. Within the Azure portal, the AKS Security Dashboard provides a centralized view of security posture and runtime protection for AKS clusters. The dashboard highlights software vulnerabilities, compliance gaps, and active threats, helping teams prioritize remediations. It also enables real-time monitoring of workload protection, cluster configuration, and threat-detection signals, improving the continuous prevent–detect–respond cycle.
• Aggregated storage logs in Microsoft Defender XDR Advanced Hunting (preview). The CloudStorageAggregatedEvents table is available in preview within the Advanced Hunting experience in Microsoft Defender XDR. The table brings aggregated storage activity logs from Defender for Cloud—covering operations, authentication details, access sources, and success/error counts—into a single queryable schema, reducing noise, improving query performance, and providing a high-level view of access patterns. These logs are included at no additional cost in the new Defender for Storage plan for storage accounts, enabling more effective investigations and detections.

Governance and policy management

Azure Cost Management

Updates related to Microsoft Cost Management

Microsoft is constantly seeking new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns, and optimize costs. This article reports some of the latest improvements and updates regarding this solution.

Monitoring

Azure Monitor

Azure Monitor: Tenant-level Service Health alerts (preview)

Microsoft is introducing tenant-level Service Health alerts in Azure Monitor (preview), a capability that delivers proactive notifications about service health issues that affect the entire tenant—not just individual subscriptions. Alert rules can be created with directory (tenant) scope directly from the Service Health page or via the alert-creation wizard in the Azure portal. This extension provides broader visibility and accelerates response to incidents involving tenant-scoped services; for full coverage, Microsoft recommends configuring both subscription-level and tenant-level Service Health alerts.

Log Analytics: Search Job now supports up to 100 million results

Search Job in Log Analytics enables asynchronous queries across all workspace data—including long-term retention—and can land the results in new Analytics tables for downstream analysis. The maximum size per result set has been increased from 1 million to 100 million records, enabling analysis of much larger datasets without splitting queries. This capability remains central for large-scale analytics, rapid investigations, and advanced log processing, delivering a more complete and accurate view of operational data.

Conclusions

This month strongly reaffirms the shift toward a centralized, proactive, AI-powered management model: from extending security posture across hybrid and multicloud scenarios with Defender for Cloud, to operational updates like the AKS Security Dashboard and aggregated storage logs in Advanced Hunting, through to tenant-level Service Health alerts in Azure Monitor. I urge architects and IT leaders to translate these updates into concrete actions now: plan the transition ahead of already announced deadlines (e.g., the retirement of Defender for Cloud in Azure operated by 21Vianet) and enable the new controls across your tenants and workspaces (AKS Security Dashboard, directory-scoped Service Health alerts). As always, the official documentation remains the authoritative source for details and prerequisites; in upcoming installments we will continue to follow the evolution of AI-powered management with practical guidance and field-tested best practices.

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

• Provide an overview of the most relevant updates released by Microsoft;

• Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

• Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The key areas we will cover in this series, along with the corresponding tools and services, include:

🔹 Hybrid and multicloud environment management – with Azure Arc, which extends policy, security, management, and automation capabilities to on-premises and multicloud resources.

🔹 AI and intelligent automation – enabled by Microsoft Copilot in Azure, AIOps capabilities, and predictive tools to streamline operations and support smarter decision-making.

🔹 Security posture across hybrid and multicloud infrastructures – using Microsoft Defender for Cloud and other native services for vulnerability management and advanced threat protection.

🔹 Governance and policy management – leveraging tools such as Azure Policy, Azure Cost Management, and Resource Graph to ensure control, standardization, and cost/resource optimization.

🔹 Update & Patching – through Azure Update Management, Azure Automation, and native patching capabilities across Azure Arc-enabled environments.

🔹 Backup & Resilience – using Azure Backup and Azure Site Recovery to ensure business continuity, data protection, and disaster recovery.

🔹 Monitoring – with tools like Azure Monitor, Log Analytics, and Application Insights for comprehensive visibility and effective troubleshooting.

Hybrid and multicloud environment management

Azure Arc

Azure File Sync Extension for Azure Arc

The Azure File Sync Arc extension is now generally available, enabling simplified deployment and management of Azure File Sync on Azure Arc–enabled Windows Servers. With this extension, you can install the Azure File Sync agent directly from the Azure portal, via PowerShell, or CLI—supporting Windows Server starting from version 2012 R2. The extension is available in all Azure File Sync–supported regions at no additional cost, marking a significant step forward in the unified management of distributed environments.

New SQL Server Database Migration Experience in Azure Arc (Preview)

A new integrated migration experience for SQL Server databases in Azure Arc environments is now available in public preview, designed to streamline the entire migration journey to Azure SQL Managed Instance. Integrated with Azure Database Migration Service, the process is now fully manageable from a single interface within the Azure portal. This centralized, automated approach offers ongoing database assessments with cost insights, simplified target provisioning, and near real-time replication support, minimizing downtime. You can also validate migration readiness through read-only replicas and client connection reports. Microsoft Copilot is embedded at key stages of the workflow, providing AI-powered decision support that makes the entire transition faster, more informed, and more reliable.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

• Four New Regulatory Compliance Standards (Preview): Microsoft Defender for Cloud is expanding its compliance support with the introduction of four new regulatory frameworks, now available in public preview for Azure, AWS, and GCP environments. The newly added standards include the Digital Operational Resilience Act (DORA), the European Union Artificial Intelligence Act (EU AI Act), the Korean Information Security Management System for Public Cloud (k-ISMS-P), and the CIS Microsoft Azure Foundations Benchmark v3.0. These frameworks can be enabled directly from the Regulatory Compliance dashboard in Microsoft Defender for Cloud, offering increasingly comprehensive coverage for multicloud scenarios. Their integration allows security and compliance teams to continuously monitor and align cloud environments with the most current and globally relevant regulations.
• Container Image Scanning Support for Chainguard and Wolfi: Microsoft Defender for Cloud’s vulnerability scanning engine—powered by Microsoft Defender Vulnerability Management—now extends its coverage to Chainguard container images and the Wolfi distribution. This new capability enables the detection of vulnerabilities within these container images, helping to validate the security of builds before they are deployed to production. The goal is to ensure that the images in use meet the highest security standards while supporting the adoption of modern, secure containerized environments. Note that expanding scan coverage to new image types may lead to increased costs, depending on the number and frequency of scans performed.

Backup & Resilience

Azure Backup

Standard Backup Policy Support for Trusted Launch Virtual Machines

Standard backup policy support for Trusted Launch–enabled virtual machines is now generally available. Trusted Launch is a key security feature for enhancing VM protection in Azure, and this update simplifies backup configuration for VMs using it—now the default setting in major VM creation flows. It ensures full operational continuity for automated processes via PowerShell, CLI, or REST API. Existing scripts require no policy changes, reducing potential errors and enhancing the resilience of backup workflows. This marks a significant step toward a secure, automated approach to backup management across cloud and hybrid environments.

Migration of Azure VM Backups from Standard to Enhanced Policy

Azure Backup now allows the migration of virtual machine backups from standard policies to enhanced policies, offering more advanced and flexible data protection. With this capability, you can schedule backups up to every 4 hours and retain snapshot-based recovery points for longer periods. Recovery points created with the enhanced policy reside in the snapshot tier and are zone-resilient, increasing reliability. Additionally, multi-disk crash consistency is supported. Migrating to an enhanced policy also enables VMs to be upgraded to Trusted Launch and to adopt Premium SSD v2 or Ultra Disk storage—without disrupting or compromising existing protection. This evolution supports a modern, scalable, and mission-critical–ready data protection strategy.

Agentless Crash-Consistent Backup for Multi-Disk Azure VMs

Azure Backup now supports agentless crash-consistent backups for multi-disk Azure virtual machines. This feature enables backups without the need to install additional software such as the VM agent or snapshot extension inside the VM. It is particularly beneficial for performance-sensitive workloads that can tolerate crash-consistent backups, minimizing downtime during backup operations. It’s also useful for systems with OS versions that do not support application-consistent or file-system–consistent backups. You can enable this functionality by specifying the desired consistency type within the backup policy.

Azure Backup: Advanced Protection for VMs with Premium SSD v2 Now Available in Norway and Japan

Azure Backup continues to enhance protection for critical workloads in hybrid cloud environments with the general availability of Geo-Redundant Storage (GRS) and Cross-Region Restore (CRR) for virtual machines using Premium SSD v2. These features provide geographically redundant backups and on-demand restores in secondary regions, ideal for audit scenarios or disaster recovery plans. Availability has now been extended to Norway West, Norway East, Japan West, and Japan East, enabling even greater resilience for performance-sensitive, distributed architectures.

Monitoring

Azure Monitor

Log Analytics Summary Rules: Efficient Analysis for High-Volume Data Streams

Microsoft has announced the general availability of Summary Rules in Log Analytics—a powerful tool designed to optimize the management of high-ingestion data streams. Summary Rules enable aggregation and summarization of data from Analytics, Basic, or Auxiliary plans, allowing for robust analysis, high-performance dashboard creation, and long-term reporting based on summarized Analytics tables. With the GA release, Microsoft has also increased the configurable rule limit per workspace to 100, a key improvement for teams managing complex and distributed environments.

Log Analytics: Enhanced Search Jobs for More Flexible Data Management

Several major enhancements to Search Jobs in Log Analytics are now generally available. Search Jobs allow asynchronous queries across all data within a workspace, including data stored in long-term retention. New improvements include a more intuitive and streamlined user interface, cost estimation prior to execution, and increased concurrency—enabling multiple jobs to run simultaneously without additional limits. Support for up to 100 million results is also coming soon, along with expanded KQL capabilities and other anticipated enhancements.

Conclusions

Once again this month, the evolution of Azure services in the areas of management and security confirms the ongoing shift toward increasingly integrated, intelligent, and proactive management of hybrid and multicloud IT environments. The latest updates—from the enhancement of Azure Arc to the increased resilience provided by Azure Backup, the continuous enrichment of Microsoft Defender for Cloud, and the new advanced monitoring capabilities—demonstrate Microsoft’s commitment to delivering practical tools to address the challenges of complexity and security. In a context where the adoption of AI and automation is becoming ever more strategic, it is essential for architects and IT leaders to stay informed and ready to seize the opportunities these innovations offer. Stay tuned for next month’s updates, as we continue to explore the developments shaping the future of IT management.

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

• Provide an overview of the most relevant updates released by Microsoft;

• Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

• Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The key areas we will cover in this series, along with the corresponding tools and services, include:

🔹 Hybrid and multicloud environment management – with Azure Arc, which extends policy, security, management, and automation capabilities to on-premises and multicloud resources.

🔹 AI and intelligent automation – enabled by Microsoft Copilot in Azure, AIOps capabilities, and predictive tools to streamline operations and support smarter decision-making.

🔹 Security posture across hybrid and multicloud infrastructures – using Microsoft Defender for Cloud and other native services for vulnerability management and advanced threat protection.

🔹 Governance and policy management – leveraging tools such as Azure Policy, Azure Cost Management, and Resource Graph to ensure control, standardization, and cost/resource optimization.

🔹 Update & Patching – through Azure Update Management, Azure Automation, and native patching capabilities across Azure Arc-enabled environments.

🔹 Backup & Resilience – using Azure Backup and Azure Site Recovery to ensure business continuity, data protection, and disaster recovery.

🔹 Monitoring – with tools like Azure Monitor, Log Analytics, and Application Insights for comprehensive visibility and effective troubleshooting.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with improvements being introduced on an ongoing basis. To stay updated on the latest developments, Microsoft maintains this page, which provides information on new features, bug fixes, and deprecated functionalities. Below are the main updates for the month:

Optional index tags for malware scan results in Defender for Storage (preview) – Microsoft has announced a new feature in Public Preview for Defender for Storage that introduces support for optional index tags in malware scan results, both during file uploads and on-demand scans. This option allows users to choose whether or not to publish scan results in the blob index tags, providing greater flexibility in managing stored information. The activation or deactivation of tags can be configured at the subscription or storage account level, via the Azure portal or API. This feature enables the service to be adapted to specific needs in terms of governance, compliance, and performance.

API discovery and security posture assessment for Function Apps and Logic Apps (preview) – Defender for Cloud extends its API Discovery and API Security Posture Management capabilities to Azure Function Apps and Logic Apps, previously supported only through Azure API Management. Thanks to this extension, security teams can gain a centralized and up-to-date view of the entire API attack surface within the organization. Key features include:

• automatic inventory of APIs,
• risk assessment of outdated, exposed, or unencrypted endpoints,
• targeted remediation suggestions.

Agentless File Integrity Monitoring (preview) – File Integrity Monitoring (FIM) is now available in Public Preview in agentless mode, complementing the existing agent-based solution via Microsoft Defender for Endpoint. This new mode allows monitoring of file and registry key changes without the need to install agents, making monitoring simpler and more scalable—ideal for environments that require reduced operational complexity. Key features include:

• custom definition of paths to monitor,
• consolidation of events (agentless and agent-based) into a single table within the workspace, with clear source identification.

Agentless code scanning: GitHub support and customizable coverage (preview) – The agentless code scanning capability has been enhanced with new features, now available in Public Preview, to offer broader coverage and greater control over development environments. Notable updates include:

• native support for GitHub repositories, in addition to Azure DevOps,
• ability to choose scanning tools (e.g., Bandit, Checkov, ESLint),
• granular configuration of scan scope (projects, repositories, or entire organizations).

Governance and policy management

Azure Advisor

Azure Advisor improves VM right-sizing with new SKUs and families

Azure Advisor has expanded the scope of its virtual machine right-sizing recommendations, now including a broader range of SKUs and support for the latest VM families in the D, E, and F series.
This update enables more accurate analysis of CPU performance and provides more precise suggestions for optimizing workloads. Organizations can identify oversized VMs and resize them based on actual usage, achieving tangible benefits in terms of:

• reduced operational costs,
• minimized resource waste,
• contribution to environmental sustainability.

Azure Cost Management

Support for FOCUS 1.2 standard in Microsoft Cost Management (preview)

Microsoft has announced the Public Preview availability of support for the FinOps Open Cost and Usage Specification (FOCUS) 1.2 standard in Microsoft Cost Management. This update marks a significant step forward for FinOps teams by simplifying reporting, unifying multi-cloud billing data, and enabling financial analysis across multiple currencies.

FOCUS 1.2 is a standardized, cloud-agnostic schema designed to improve cost management across IaaS, PaaS, and SaaS services. Key updates include:

• improved column naming conventions,
• introduction of new fields to support future extensions,
• alignment with key billing constructs such as InvoiceId, ServiceModel, and AmortizationClass.

The main benefits include unified and consistent reporting, enhanced support for multi-currency scenarios, improved data quality and integrity, and streamlined FinOps workflows thanks to the schema’s increased extensibility.

Backup & Resilience

Azure Backup

Increased disk capacity for Azure virtual machine backup

Microsoft has announced the availability of extended disk capacity support for Azure VM Backup. It is now possible to protect virtual machines with individual disks up to 64 TB, with a total limit of up to 512 TB per VM. This update enhances business continuity and disaster recovery scenarios by enabling native protection—within the Azure ecosystem—even for the largest and most critical workloads.

Long-term backup for Azure Database for PostgreSQL – Flexible Server

Azure Database for PostgreSQL – Flexible Server introduces a new long-term backup capability through integration with Azure Backup. This development addresses compliance and data protection requirements by allowing custom backup policies, individual backup management, and a simplified configuration process. Key highlights include the ability to retain data for up to 10 years—an essential feature for regulated or audit-driven scenarios. These new options strengthen the data protection strategy in hybrid and multicloud environments, providing administrators with greater granularity in managing backup retention and accessibility, while ensuring regulatory and operational compliance.

Azure Site Recovery

Azure Site Recovery supports Linux VMs with Trusted Launch

Azure Site Recovery (ASR) support for Linux virtual machines with Trusted Launch is now generally available. This feature enables automated protection for Azure Generation 2 VMs that leverage the advanced security capabilities of Trusted Launch, including Secure Boot and vTPM (Virtual Trusted Platform Module). With this update, Linux VMs can now benefit from a fully managed and integrated disaster recovery solution in Azure, enhancing the resilience of environments that require high security standards. Support for Windows VMs with Trusted Launch was already available, and this extension to Linux completes the coverage, making ASR an even more robust choice for hybrid and mission-critical scenarios.

Azure Site Recovery support for virtual machines with Premium SSD v2 disks (preview)

Microsoft has announced the Public Preview of Azure Site Recovery (ASR) support for virtual machines using Premium SSD v2 disks. This enhancement extends disaster recovery capabilities to workloads that require high performance, such as SQL Server, Oracle, SAP, and big data environments. ASR enables efficient VM replication across Azure regions or from on-premises environments to the cloud, offering automated failover and the ability to run disaster recovery drills. The introduction of support for Premium SSD v2 disks—known for low latency, consistent performance, and independent scalability of IOPS and throughput—further increases flexibility and efficiency in protecting critical environments.

Support for Ultra Disks in Azure Site Recovery (preview)

Support for Azure Site Recovery (ASR) for virtual machines using Ultra Disks is now available in Public Preview. This enhancement enables advanced disaster recovery scenarios for performance-intensive workloads, extending resilience to VMs equipped with disks that offer sub-millisecond latency and extremely high throughput. Ultra Disks represent the highest-performing block storage in Azure, ideal for critical systems such as SAP HANA, enterprise-grade databases, and high-intensity transactional environments. With this update, ASR continues to strengthen its integrated workload protection offering, enabling replication across Azure regions or from on-premises environments, with features like automated failover and test failovers. It’s a key extension for organizations aiming for robust business continuity using native Azure tools for mission-critical workloads.

Monitoring

Azure Monitor

Ingestion issue monitoring with Azure Monitor Workspace (preview)

A new feature for proactive data ingestion issue monitoring in Azure Monitor Workspace is now available in Public Preview. This innovation enhances visibility into incoming data streams, allowing administrators to more easily detect errors, anomalies, or slowdowns in the monitoring pipeline. In complex and distributed environments, the ability to promptly identify such issues is essential to ensure the continuity of observability processes, improve operational responsiveness, and reduce the risk of losing critical data.

Query Editor in Azure Monitor Metrics now generally available

Microsoft has announced the General Availability of the new Query Editor within Azure Metric Explorer, now integrated with Azure Monitor Workspace. This feature enables direct querying of metric data collected from Prometheus using the PromQL language, all accessible directly from the Azure portal. This update introduces a more powerful and flexible way to explore and analyze monitoring data, allowing users to quickly gain targeted insights to optimize resources and improve performance in both cloud and hybrid environments. The native integration of PromQL in Metric Explorer represents a significant step toward more efficient, analytical, and data-driven management of distributed systems.

Conclusions

The landscape of hybrid and multicloud environment management and security continues to evolve with significant innovations. The updates introduced by Microsoft in June 2025 further strengthen organizations’ ability to protect, optimize, and effectively govern their infrastructures—both in the cloud and on-premises. The preview features of Microsoft Defender for Cloud, along with new resilience tools such as support for Ultra and Premium SSD v2 disks in Azure Site Recovery, represent a tangible step forward toward more secure, scalable, and high-performance architectures. At the same time, improvements in monitoring, cost management, and proactive resource recommendations enable more granular and informed control of distributed environments. It is essential for IT and security teams to stay up to date with these developments, adopt a data-driven approach, and progressively integrate new capabilities into their processes to ensure strong security posture and efficient governance in increasingly dynamic and complex scenarios.

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

• Provide an overview of the most relevant updates released by Microsoft;

• Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

• Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The key areas we will cover in this series, along with the corresponding tools and services, include:

🔹 Hybrid and multicloud environment management – with Azure Arc, which extends policy, security, management, and automation capabilities to on-premises and multicloud resources.

🔹 AI and intelligent automation – enabled by Microsoft Copilot in Azure, AIOps capabilities, and predictive tools to streamline operations and support smarter decision-making.

🔹 Security posture across hybrid and multicloud infrastructures – using Microsoft Defender for Cloud and other native services for vulnerability management and advanced threat protection.

🔹 Governance and policy management – leveraging tools such as Azure Policy, Azure Cost Management, and Resource Graph to ensure control, standardization, and cost/resource optimization.

🔹 Update & Patching – through Azure Update Management, Azure Automation, and native patching capabilities across Azure Arc-enabled environments.

🔹 Backup & Resilience – using Azure Backup and Azure Site Recovery to ensure business continuity, data protection, and disaster recovery.

🔹 Monitoring – with tools like Azure Monitor, Log Analytics, and Application Insights for comprehensive visibility and effective troubleshooting.

Hybrid and multicloud environment management

Measure, manage, and reduce carbon emissions in Azure

Microsoft has announced the general availability of the carbon optimization feature in Azure, a native solution designed to help organizations measure, manage, and reduce the carbon emissions generated by their cloud workloads. Integrated directly into the Azure portal, this feature provides preconfigured dashboards and KPIs to monitor environmental impact over time. Emission data is available at the individual resource level, offering a high level of detail and the ability to identify concrete optimization opportunities. Role-Based Access Control (RBAC) ensures that only authorized users can view relevant information. Additionally, operational recommendations are provided to support both emission reduction and cost savings. This announcement reaffirms Microsoft’s commitment to supporting customers in achieving more sustainable cloud management by offering integrated tools for more environmentally conscious IT decisions. A significant step forward for organizations that prioritize these aspects.

AI and intelligent automation

Microsoft Copilot in Azure

GitHub Copilot for Azure: smarter, more integrated cloud development

GitHub Copilot for Azure is now generally available—a solution that revolutionizes cloud development through an AI assistant seamlessly integrated with Azure resources. Designed to simplify and accelerate developers’ work, this tool supports Infrastructure as Code (IaC) using languages such as Bicep and Terraform, helps proactively identify and resolve issues, and provides contextual recommendations to improve code quality in real time. Copilot proves to be a valuable ally for those designing resilient and modern architectures, transforming how code is written, distributed environments are managed, and new cloud skills are acquired. Its availability marks a concrete step toward adopting an AI-enhanced cloud management model.

AI-powered Investigation for troubleshooting in Azure Monitor (preview)

The AI-powered Investigation feature is now available in Public Preview in Azure Monitor, aimed at improving the troubleshooting experience and speeding up the detection and resolution of issues in applications and infrastructure. Artificial intelligence deeply analyzes telemetry collected by Azure Monitor—including metrics, logs, resource status, alerts, and application topology—to identify anomalies and suggest potential root causes and solutions. Analyses are personalized through direct interaction with the AI, making results more accurate and relevant. A new entity, called an “issue,” aggregates all information related to a problem, seamlessly integrating these capabilities into the alert management workflow. Currently available for Application Insights, this feature will soon expand to other resources.

Copilot in SQL Server Management Studio (preview)

The new Copilot integration in SQL Server Management Studio (SSMS) is also now in Public Preview. This AI assistant is designed to help developers and administrators write, modify, and troubleshoot T-SQL queries using natural language. Copilot leverages the database context to provide personalized responses based on the specific environment, covering areas such as maintenance, configuration, and database management—whether in the cloud or on-premises. This innovation is part of Microsoft’s broader journey toward increasingly intelligent and proactive management tools, powered by AI to boost productivity and reduce the complexity of day-to-day operations.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

• Active User (Public Preview): a new feature designed to help administrators quickly identify the most relevant users for each recommendation, based on recent control plane activity. For each recommendation, up to three active users are suggested at the resource, resource group, or subscription level. You can assign the recommendation, set a due date, and directly notify the assigned user, streamlining remediation workflows and reducing investigation time.
• General Availability of Defender for AI Services: runtime protection is now available for Azure AI services, previously known as threat protection for AI workloads. This protection covers specific AI-related scenarios such as jailbreak attempts, wallet abuse, data exposure, and suspicious access patterns, leveraging signals from Microsoft Threat Intelligence and Azure AI Prompt Shields.
• Security Copilot now GA in Defender for Cloud: the general availability of Microsoft Security Copilot enables faster risk response through AI-generated summaries, remediation suggestions, and automated notifications. Administrators can quickly summarize recommendations, generate remediation scripts, and delegate tasks via email, boosting the operational efficiency of security teams.
• Data and AI Security Dashboard: the new dashboard provides a unified and centralized view for monitoring the security posture of data and AI resources. It includes capabilities such as sensitive data discovery, identification of active AI resources (including containers, datasets, and models), and highlighting critical issues based on high-severity recommendations, alerts, and attack paths.
• Defender CSPM: Billing for MySQL and PostgreSQL Flexible Server starting June 2025: starting June 1, 2025, Microsoft will begin billing for Azure Database for MySQL Flexible Server and PostgreSQL Flexible Server workloads protected by Defender CSPM. No action is required from users, but monthly billing may change depending on the protected resources.
• Customizable filters for malware scanning on upload in Defender for Storage: Microsoft Defender for Storage now officially supports customizable filters for on-upload malware scanning. Users can define exclusion rules based on blob path prefixes or suffixes, as well as blob size. This update allows non-critical or temporary files, such as logs or transient files, to be excluded from scanning—optimizing security processes and helping reduce operational costs.

Governance and policy management

Azure Cost Management

Advanced Exports in Cost Management

Advanced exports in Cost Management are now generally available across all Azure regions and clouds. This feature introduces significant improvements in how organizations can automate the analysis of cost and usage data. Key enhancements include an expanded set of exportable datasets (including price sheets, recommendations, and reservation details), new export formats (CSV with Gzip compression, Parquet with Snappy compression), and support for the FinOps Open Cost and Usage Specification (FOCUS) version 1.0. Organizations can now configure partitioned files, enable overwrites, retrieve historical data (up to thirteen months via the portal, seven years through the REST API), and export to storage accounts protected by firewalls or network policies. Schema versioning is also supported, ensuring compatibility with existing data pipelines. This update is extremely valuable for streamlining FinOps workflows, managing costs at scale, and aligning with enterprise security and compliance requirements.

Improvements to Purchase Details in Cost Management for MCA Customers (Preview)

By June, new preview features will enhance purchase details in Cost Management for customers under the Microsoft Customer Agreement (MCA). The improvements primarily focus on reserved instances (RIs), Azure savings plans (ASPs), and third-party purchases made through the Azure Marketplace. Users will be able to view the subscription ID associated with RIs and ASPs, simplifying showback and chargeback activities. Start and end dates will display the full duration of the offer, and cost data will be available in both the billing currency and US dollars, facilitating comparison with list prices. For monthly-billed offers, the

Backup & Resilience

Azure Backup

Backup for Azure Database for PostgreSQL – Flexible Server

The Vaulted Backup feature for Azure Database for PostgreSQL – Flexible Server is now generally available and managed through Azure Backup. This solution offers scalable and secure backups with fully automated management via scheduled policies, eliminating the need for manual intervention. Key benefits include enhanced security through immutable vaults and role-based access controls, long-term retention (LTR) of up to 10 years to meet global regulatory requirements, and enterprise-level management via the Azure Business Continuity Center, which enables unified operations and governance of all protected resources from a single console. This is an ideal solution for businesses and developers who require operational continuity and regulatory compliance in critical environments.

GRS and CRR Support for Azure Backup with Premium SSD v2 Expanded to New Regions

Geo-Redundant Storage (GRS) and Cross-Region Restore (CRR) support in Azure Backup for virtual machines using Premium SSD v2 is now available in even more regions. Premium SSD v2 is a high-performance block storage solution that offers low latency, high IOPS, and high throughput at a cost-effective rate. With GRS and CRR, data can be protected from irreversible loss and restored on demand in a secondary region, making this functionality ideal for audit or disaster recovery scenarios. Newly supported regions include Brazil South, South Central US, North Central US, East US 2, Central US, UK West, UK South, Canada East, Canada Central, West US, West Central US, West US 2, Australia Southeast, and Australia East. A strategic solution for ensuring the resilience of critical workloads.

Azure Backup for Elastic SAN (Preview)

Microsoft has announced the public preview of Azure Backup support for Elastic SAN—a fully managed solution for protecting and restoring Elastic SAN volumes. This integration allows data to be safeguarded against accidental deletion, ransomware attacks, and application updates by exporting Elastic SAN volumes into incremental Managed Disk snapshots, independent of the lifecycle of the original volumes. The snapshots are stored using locally redundant storage (LRS) and support up to 450 recovery points with a backup frequency of up to every 24 hours. Currently, the feature is available only in select Azure regions and supports volumes up to 4 TiB. During this preview phase, long-term vault backups and hourly backups are not available. There is no Azure Backup Protected Instance cost, but standard rates apply for incremental snapshots. This marks an important step toward native, scalable protection of modern SAN environments hosted in Azure.

Monitoring

Azure Monitor

Cross-region replication for Log Analytics Workspace

Cross-region replication for Log Analytics Workspace is now generally available. This feature enhances the resilience of distributed monitoring environments by allowing administrators to enable a replica of the workspace in a secondary geographic region. Once activated, the replication enables simultaneous log ingestion in both regions, ensuring uninterrupted visibility through dashboards, alerts, and advanced solutions like Microsoft Sentinel—even in the event of a regional outage. This represents a significant advancement in business continuity management for critical or geographically distributed environments.

Increased record limit per query in Log Analytics to 100,000

Azure Monitor Log Analytics has increased the record limit per query in the UI to 100,000, up from the previous limit of 30,000. This enhancement enables deeper analysis and more detailed investigations directly within the Azure portal, without the need for external tools to process large volumes of data. To enable this option, simply select “Max. limit” from the “Show” menu in the Logs interface or set it as the default value. Microsoft is actively monitoring usage and performance to assess future extensions. For even larger-scale analysis, exports of up to 500,000 records via API remain available.

Managed Prometheus visualizations and enhanced monitoring for AKS

Managed Prometheus-based visualizations in Azure Monitor are now generally available, offering a unified and enhanced monitoring experience for Azure Kubernetes Service (AKS). This update allows users to centralize all critical information for AKS cluster management in a single view, overcoming the limitations of previous Log Analytics-based dashboards. With integrated managed Prometheus, customers benefit from a more cost-effective and responsive observability solution. Key capabilities include: cost optimization by migrating from Log Analytics to Prometheus, improved query performance, integration with recommended Prometheus-based alerts, visibility into control plane components for deeper diagnostics, and an optimized multi-cluster view for large-scale monitoring. A significant step forward for managing containerized environments in Azure.

Recommended Prometheus alerts now available for AKS cluster

Recommended community Prometheus alerts are now directly available for Azure Kubernetes Service (AKS) clusters through the Azure portal. This feature significantly simplifies monitoring management by eliminating the need to download templates or use command-line tools. The predefined alerts provide comprehensive coverage across all layers of the cluster—infrastructure, nodes, and pods. The goal is to deliver a powerful tool for timely anomaly detection, simplified diagnostics, and enhanced reliability for containerized applications. Integration with managed Prometheus metrics further strengthens Microsoft’s strategy for centralized, proactive, and cloud-native operations management.

Simple Log Alerts in Azure Monitor (Preview)

As of May, the new Simple Log Alerts feature in Azure Monitor is available in Public Preview. Designed to simplify alert creation and improve event detection timeliness, this feature differs from Log Search-based alerts, which evaluate sets of rows over a time window. Simple Log Alerts evaluate each row individually, enabling near real-time notifications. With simplified use of KQL, alerts can be defined quickly and intuitively. This solution also supports log tiers previously excluded from alerting, such as Basic Logs and Analytics. The pricing model is similar to traditional alerts, with minute-based evaluation billing. This is a particularly useful feature in operational scenarios that require fast and granular responses.

Prometheus Community Recommended Alerts for Arc-enabled Kubernetes Clusters (Preview)

In Public Preview, one-click activation of Prometheus community recommended alerts is now available for Kubernetes clusters managed via Azure Arc. Accessible directly from the Azure portal, these alerts provide comprehensive coverage for cluster, node, and pod metrics, based on community-refined Prometheus rules. Previously, enabling these alerts required manual operations via CLI and templates. To activate them, the Azure Monitor managed service for Prometheus must be enabled on the cluster.

Managed Prometheus for Arc-enabled Kubernetes Clusters in Azure Monitor (Preview)

A new Azure Monitor feature is now in Public Preview, allowing telemetry data visualization for Arc-enabled Kubernetes clusters using Managed Prometheus. This integration offers a more performant and cost-effective alternative to collecting metric data via Log Analytics. With this update, customers can: reduce costs by migrating to Prometheus-managed metrics, improve query performance, adopt preconfigured Prometheus-based alert rules, and centrally monitor multiple clusters at scale. This marks an important evolution for managing distributed containerized environments, simplifying monitoring while maintaining high levels of control and resource optimization.

Granular RBAC in Log Analytics Workspaces (Preview)

A new feature in Public Preview enables more granular access control in Azure Monitor’s Log Analytics Workspaces. Through integration with Azure Attribute-Based Access Control (ABAC), it is now possible to define row-level RBAC within the same centralized workspace. This allows organizations to segment data access based on criteria such as job role, organizational unit, geographic location, or data sensitivity. This approach enables more precise governance aligned with least-privilege principles while retaining the advantages of a centralized log platform. It is especially well-suited for complex enterprise environments with high security requirements.

Conclusions

The latest updates from Microsoft for Azure confirm a clear and strategic direction: making the cloud increasingly sustainable, secure, and governable. The integration of artificial intelligence into tools such as GitHub Copilot for Azure, SQL Server Management Studio, and Azure Monitor is no longer a future promise—it is a concrete reality that is transforming the way developers, administrators, and analysts work every day. At the same time, the focus on sustainability—with native features for monitoring and reducing carbon emissions—marks a significant step toward more responsible and environmentally conscious IT. In parallel, improvements in security posture—thanks to Microsoft Defender for Cloud—and advancements in monitoring and backup help strengthen the resilience of hybrid and multicloud environments. Lastly, the latest innovations in governance and FinOps provide increasingly advanced tools for cost optimization and consumption transparency, benefiting both IT teams and financial decision-makers.